Obama admin declassifies major cybersecurity plans

The Obama administration has lifted the curtain on some details of the …

Bowing to pressure from activist groups and to the dictates of common sense, the Obama administration has done what the Bush administration wouldn't and declassified some general information [PDF] about the Comprehensive National Cybersecurity Initiative (CNCI), a sweeping program that the Bush White House launched in early 2008 to protect the government and critical civilian networks from cyberattacks. It turns out that, like at least one other effort launched by the Bush administration in the name of national security, the program was too secret for its own good.

In May of 2008, some members of congress became frustrated with the CNCI's combination of extreme secrecy and hefty pricetag, and asked in vain for someone from the Bush administration to give a bit more information on it than a former DHS official's brief description of it as a "Manhattan Project to defend cyber networks." Civil libertarians were also up in arms over the program, as were security experts—the former because the extent of the government's intrusion into private networks wasn't known, and the latter because no one could say who, if anyone, had been consulted in the plan's formulation.

After the arrival of the Obama administration at the close of the year, the Congressional Research Service began working on a review of legal basis underpinning CNCI. The study found that the program's constitutional basis was questionable because Bush had mainly relied on his Article II powers in issuing the presidential directive that started the program. In other words, because Congress couldn't be told about it, they couldn't give it the level of explicit backing that would've put a program with this much impact on the private sector on firmer constitutional footing. The program was also too secret to enjoy the benefit of any real third-party scrutiny.

This past Tuesday, the the Obama administration lifted a bit of the veil on the program. Bush's original directive wasn't declassified, but the White House did release a five-page summary of the program to the public.

The summary document gives brief descriptions of the 12 different initiatives that make up the program, each of which is as long on ambition as it is short on detail. The document ultimately reads like a kind of wish list for national cybersecurity, and one in which some of the goals are at odds with one another.

Perhaps the main tension in the document is between the federal government's need to "centralize," "manage," and "control," and the reality that network security benefits from redundancy, federation, and distribution. For instance, take the description of initiative #4, which I reproduce below in its entirety:

Initiative #4: Coordinate and redirect research and development (R&D) efforts. No single individual or organization is aware of all of the cyber-related R&D activities being funded by the Government. This initiative is developing strategies and structures for coordinating all cyber R&D sponsored or conducted by the U.S. government, both classified and unclassified, and to redirect that R&D where needed. This Initiative is critical to eliminate redundancies in federally funded cybersecurity research, and to identify research gaps, prioritize R&D efforts, and ensure the taxpayers are getting full value for their money as we shape our strategic investments.

But is it really a problem that federally support cyber-related R&D isn't centrally directed and completely lacking in redundancy? Are central planning and lack of redundancy really conducive to the kind of innovation that's required for the US to keep up in cyberspace?

I'm reminded of the interview that I did with Stanford president and RISC computing pioneer John Hennessy, where we touched on this very topic. In the context of a discussion about federal and monopoly funding for "blue sky" research—where a bunch of smart guys in different labs get a budget from the government, or from a monopoly like Ma Bell or Cold War-era IBM, and are let loose for years to just chase their geek fancy—Hennessy attributed the birth of RISC to the kind of multi-lab redundancy that's now considered wasteful.

We need to move back to the model where DARPA is funding groups that can work for a long period of time on hard systems problems. What led to lots of the breakthroughs in the VLSI arena was that there was a symbiotic group of universities working together, and there was a lot of sharing of ideas and stuff going on. I think that when we [at Stanford] did the RISC work, had Berkely not been there, either one of us alone would've been branded as a heretic... because IBM was below the radar, and nobody knew about the work. One of us couldn't have survived alone in this environment.

Back in the 50s, before milestones and benchmarks and redundancy elimination, the federal government knew exactly how to spur innovation: fund academic labs that specialized in certain areas, and leave them alone to do their thing.

Unfortunately, what the CNCI document describes sounds like the opposite of innovative, which isn't a surprise, given that the impulse to conceive and develop it entirely in secret was the opposite of democratic. In the end, there's no better way to stifle innovation than to let a single entity control it. But that's the kind of wrong-headed groupthink that takes root and grows in small groups that are restricted by excessive secrecy.